S 6.106 Creation of a business continuity plan for the failure of a directory service

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator

The partial or complete failure of a directory service will generally have a serious impact on the ability of the users to do their work. When a directory service server fails, it may no longer be possible to perform any server-based tasks, for example. As part of the contingency planning, it is therefore necessary to draw up a concept detailing how the effects of a failure of directory service components can be minimised and which action needs to be taken in case of a failure.

The following aspects must be taken into account in this regard:

Various scenarios in which the directory service system or parts of it become compromised should be examined in the framework of contingency planning. The business continuity plan should describe how to respond and which action to take in each of these scenarios as precisely as possible. The responses should be evaluated regularly.

Contingency planning that is performed well enough in advance and contains specific instructions that can also be followed by personnel who are not familiar with the administration of the system can lessen the impact in the event of damage. It must be noted that the documents for emergency situations contain information requiring protection, which means they must be stored securely. However, authorised persons must be able to access these documents in an emergency.

Each of the following emergency situations should be examined:

Attacks

If an attack, for example an extension of user rights, is detected on a directory service, it cannot be assumed that deleting the corresponding account from the affected systems without performing detailed security analyses will return it to a secure state. In fact, it is necessary to consider the possibility that changes were made to the system configuration or that malicious software programs (e.g. backdoors or Trojan horses) were installed.

To reliably remove potential malware, it is recommended to completely restore the affected directory service components in order to guarantee a trustworthy basis for the directory service. The data backups created should be used for this purpose, but the documentation of the exact configuration and the security policies of the directory service will also be needed. Furthermore, all accounts with extended rights (and especially the accounts in the administrators group) should be examined at a minimum to ensure that every account in the group actually belongs there, and these accounts should immediately be assigned new passwords to minimise the chances of success of subsequent attacks. The passwords of the user accounts also need to be changed. In addition, the source of the attack should be investigated, and the results and experience gained from the investigation should be integrated into the existing security concepts.
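The two checks described above (does every member of the administrators group belong there according to the documented security concept, and has every privileged account received a new password since the incident) can be scripted against a directory export. The following is an added example, not part of the safeguard text; it uses a constructed LDIF-style group export, constructed password-change timestamps and illustrative attribute names rather than those of any particular directory product.

```python
from datetime import datetime

# Constructed sample: LDIF-style export of the administrators group entry.
GROUP_EXPORT = """\
dn: cn=Administrators,ou=groups,dc=example,dc=org
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org
member: uid=svc-backup,ou=services,dc=example,dc=org
"""

# Approved membership taken from the documented security concept (constructed).
APPROVED_ADMINS = {
    "uid=alice,ou=people,dc=example,dc=org",
    "uid=bob,ou=people,dc=example,dc=org",
}

# Last password change per account as UTC timestamps (constructed).
PASSWORD_CHANGED = {
    "uid=alice,ou=people,dc=example,dc=org": "2024-03-02T09:00:00Z",
    "uid=bob,ou=people,dc=example,dc=org": "2024-02-20T14:30:00Z",
    "uid=svc-backup,ou=services,dc=example,dc=org": "2024-03-02T09:05:00Z",
}

def parse_members(ldif_text):
    """Return the set of member DNs listed in an LDIF group entry."""
    return {line.split(":", 1)[1].strip()
            for line in ldif_text.splitlines()
            if line.startswith("member:")}

def _utc(ts):
    # Accept the trailing "Z" form that fromisoformat does not parse on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_admin_group(ldif_text, approved, password_changed, incident_time):
    """Compare actual against documented membership and flag members whose
    password was not changed after the incident. Returns sorted findings."""
    actual = parse_members(ldif_text)
    cutoff = _utc(incident_time)
    stale = {dn for dn in actual
             if dn not in password_changed or _utc(password_changed[dn]) <= cutoff}
    return {
        "unexpected_members": sorted(actual - approved),   # investigate, then remove
        "missing_members": sorted(approved - actual),      # documentation or export drift
        "password_not_reset": sorted(stale),               # reset before reconnecting
    }

if __name__ == "__main__":
    findings = audit_admin_group(GROUP_EXPORT, APPROVED_ADMINS,
                                 PASSWORD_CHANGED, "2024-03-01T00:00:00Z")
    for category, dns in findings.items():
        print(category, dns)
```

Any account in `unexpected_members` should be treated as part of the incident until the security analysis says otherwise, not simply deleted.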

Theft

If directory service components are stolen, then all existing accounts, and especially those with extended rights, should be assigned new passwords immediately. Furthermore, the theft should be investigated and a detailed security analysis performed. The infrastructural security precautions in particular should be extensively modified based on these results. When in doubt, it is recommended to reinstall all components of the entire directory service structure.

In case of an attack or in case of theft, the respective persons responsible should be informed of the improved security concepts and required to follow the requirements in these security concepts.

Misconfigurations

Misconfigurations introduced during system administration can have a negative impact on the overall structure of a directory service over the course of time. The configurations of directory service systems should therefore be examined regularly for errors. As soon as an error is detected, the scope of the error should be evaluated and corrective measures initiated.

Depending on the software, it may be possible to make the changes needed to eliminate the configuration error directly, but if the problems are more extensive, it may be necessary to restore the system from the latest data backups or even to reinitialise the system. If the reasons for the configuration errors cannot be determined with absolute certainty, then it is recommended to restore the directory service from a backup with a trustworthy state.

In order to avoid repeating the same problems in the future, the security policies must be examined and adapted accordingly, if necessary. Furthermore, operations in the test network and in the production environment must be analysed so that the experience gained from operating the test network reduces downtime and the number of misconfigurations in the live network to a minimum.

Failures due to force majeure

The threats posed by force majeure, e.g. by earthquakes, flooding, fire, storm damage, and cable damage, can have a negative impact on the availability of a directory service. Adequate safeguards against these threats must be taken into consideration to increase availability, for example through the use of redundant communication connections or IT systems.

Review questions: